A recent security upgrade at PNC Financial Services Group is preventing some customers from connecting their bank accounts to the peer-to-peer (P2P) payment platform Venmo, according to The Wall Street Journal. The upgrade prevented data aggregator Plaid from accessing customers’ account and routing numbers, information the platform uses to facilitate transactions between fintechs and financial institutions.
When customers took to Twitter to complain, PNC suggested they instead use Zelle, a payment platform operated by Early Warning and owned by a consortium of the country’s largest banks, including PNC.
Although many financial institutions and fintech companies have found ways to work together, the Venmo-PNC tiff is an example of how access to customers’ financial data can become a point of friction.
Fintechs need the data to operate, but a bank can cite proprietary or security concerns as a reason to deny a third party access to the data.
PNC said it started blocking aggregators from gaining access to customers' account numbers and routing numbers after it identified "multiple different aggregators" attempting to circumvent the bank's security protocol.
"When aggregators access account numbers, many store them indefinitely, often unbeknownst to customers," Karen Larrimer, head of retail banking and chief customer officer at PNC, told the Journal. "This puts customers and their money at risk. We want to make sure we know who is setting up the account."
PNC said it asked Plaid and other aggregators to make changes to their own systems to meet the bank’s security requirements. Plaid said it had already worked with the bank to provide requested system updates.
"Protecting consumers needs to be a joint priority, and we work with thousands of other banks to make sure their customers are never in this situation," John Pitts, Plaid's head of policy and advocacy, told The Journal.
Customers can bypass Plaid and continue to use Venmo by manually entering their account information, PNC said. But that extra step usually takes one to two days.
On the other side of the Atlantic, the European Union has taken a different approach to customer data, which is seen as belonging to the customer, and not proprietary to a bank.
The EU Payment Services Directive (PSD2) mandates that financial institutions allow third-party operators to access customer data — if a consumer gives consent.
The directive also aims to create an equal playing field and promote competition in the payment market.
Stephen Greer, a banking analyst at consulting firm Celent, told the Journal he expects the U.S. will eventually follow the EU and other nations in shifting their philosophy on customer data.